Local Privilege

With the help of an article (https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/), I was able to find a PHP local file inclusion vulnerability. I was then able to curl the page source and base64 decode it.

From upload.php I learn that only users who are logged in are authorized to upload. So I log in to MySQL using the credentials from config.php and dump the users table. The entries are base64 encoded, so I decode those as well.

I then upload the shell.gif into the uploader, and get the id of the file by browsing to the directory (http://192.168.56.103/upload/). Then I browse to index.php and tamper with the lang cookie using a proxy to invoke my malicious gif.

Now that I am mike, I move to mike's home directory, where I find another SUID binary, but this time it is owned by root. I run strings to understand what it is doing. I come to learn that it is doing a basic string substitution that allows straightforward command execution.

I find that advanced-video-embed-embed-videos-or-playlists - v1.0 has a local file inclusion vulnerability on Exploit-db. This can be found at: https://www.exploit-db.com/exploits/39646/. I am able to download the exploit and modify it for SSL using the following code.

With this vulnerability, I was able to download both wp-config.php and /etc/passwd. After executing the exploit, I browsed to https://192.168.56.102:12380/blogblog/wp-content/uploads/ to see the random id assigned to my file. If you attempt to view this in the browser it will fail because it cannot render a configuration file as a jpeg. I pulled down the text with curl.

I am then able to log in over FTP as Elly and pull down all the sensitive files. The most useful file to pull down is /etc/passwd, which gives a username list for SSH brute-forcing. Using this, I am able to obtain a local shell as SHayslett.

Privilege Escalation 2: SUID

Once I have a local shell, I can search for potential vulnerabilities using the Linux Priv Checker. This can be found at: http://www.securitysift.com/download/linuxprivchecker.py. Using this script, I am able to find a world writable cron job.

I am then able to replace the world-writable cron script with my own SUID-setter program, which I create and compile. Once the cron job runs, I have a SUID binary to execute to get root.
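The misconfiguration exploited above, a cron job whose command file anyone can overwrite, is something a defender can audit for directly. The following is an added example, not code from the original post or from linuxprivchecker: it parses system-crontab lines (including `@reboot`-style entries and `VAR=value` lines) and reports every command whose file has the world-write bit set. The crontab excerpt and the script files it references are constructed in a temporary directory for the demo.

```python
import os
import shlex
import stat
import tempfile

def cron_command(line):
    """Return the executable named by a system crontab line, or None.

    System crontab format: 'm h dom mon dow user command' or '@reboot user command'.
    Comments, blank lines and VAR=value lines are skipped."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split()[0]
    if "=" in first:
        return None
    special = first.startswith("@")
    fields = line.split(None, 2 if special else 6)
    if len(fields) != (3 if special else 7):
        return None
    try:
        return shlex.split(fields[-1])[0]
    except (ValueError, IndexError):
        return None

def is_world_writable(path):
    """True if the file's mode grants write permission to 'other'."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def audit_crontab(text):
    """Return the absolute command paths in the crontab that anyone can overwrite."""
    return sorted({c for c in map(cron_command, text.splitlines())
                   if c and os.path.isabs(c) and is_world_writable(c)})

def demo():
    """Constructed sample: two cron scripts, one of them world writable."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleanup.sh"), os.path.join(d, "backup.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(path, mode)
    crontab = (f"# constructed /etc/crontab excerpt\nPATH=/usr/bin:/bin\n"
               f"*/5 * * * * root {bad} --quiet\n0 2 * * * root {good}\n"
               f"@reboot root /bin/true\n")
    return audit_crontab(crontab), bad, good

if __name__ == "__main__":
    findings, _, _ = demo()
    print("world-writable cron targets:", findings)
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; the same check extends naturally to the scripts in /etc/cron.{hourly,daily} directories.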

Privilege Escalation 3: Kernel Exploit

Next, I find the Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) exploit online at https://www.exploit-db.com/exploits/39772/. I download the exploit, untar the file, compile, and execute it.

Saturday, January 30, 2016

After about four months of studying on and off, I passed the CISSP certification exam. This test contains content that is an inch deep and a mile wide. You are given six hours to complete an extremely long 250-question exam. Although the test is long and the questions are wordy, it is very fair, with only a few tricky questions.

Study Materials

The most important resource I used was the Cybrary.it videos, and best of all it's FREE. Kelly Handerhan KNOWS her stuff. She covers all the content areas with the correct depth of information. Also, she will help you know the most important areas to focus on to pass the exam.

The next few resources I used were the All-in-One CISSP Study Guide by Shon Harris, CISSP Practice Exams by Shon Harris, and the McGraw-Hill Practice Tests. For your information, Shon Harris wrote all of these resources. The All-in-One book goes into a HUGE amount of unnecessary depth on all the topics. I read it cover-to-cover and took all the tests. However, you might be able to get away with focusing on the definitions. As for the practice tests, they were all more technical but just as wordy as the actual exam. Using these test questions, I was able to practice deciphering wordy questions and the testing strategy given in the Tips section of this blog post.

Lastly, I used the 11th Hour CISSP Study Guide by Eric Conrad for my final review. This book does a great job describing the application of concepts. However, I would not recommend only using this book, because the depth may be too shallow to be successful on the exam. It really helps with tying together things you already know.

Exam

The test took me a little over 4 of the 6 hours. One of the most important things I learned in my study was that not all domain areas are created equal. If I had to rank the groups by prevalence it would be:

1. Information Security & Risk

2. Business Continuity

2. Access Control

4. Telecommunications

4. Software Dev

6. Crypto

7. Security Architecture

8. Legal

9. Physical

10. Operations

Note: There are significantly more questions from the top 5 domains than from the remaining ones.

Tips

Set a test date a reasonable distance away and work to that date. Without the exam cost hanging over your head, it is likely you won't ever feel "ready".

Focus on the high-level topics and their application, like a manager would. Do not focus on the nitty-gritty technical details or in-depth memorization of standards. In this exam, you are there to point out problems, not to fix them.

Nine times out of ten, if an answer has more bureaucracy, it will be the correct one.

Don't get psyched out if questions are hard or weird. Those may just be beta questions that won't count against your score.

Due to the wordiness of the questions, it is better to eliminate incorrect answers than to find the correct one. In most questions, you can eliminate two incorrect answers, giving you a 50/50 chance. Statistically, if you change 1000 possible answers to 500 in 250 questions, even if you guess, you will be guessing close to 75%. This tool totally worked for me!

TAKE CARE OF YOUR BODY! It will be much more important to get a good night's sleep the night before than to cram more information into your head. This is a LONG test that you need endurance to pass. Make sure you are well-fed with light, nutritious meals so you won't be sleepy.